Book Excerpt: Cisco Secure Internet Security Solutions, part 2 - Page 2

By Cisco Press | Posted Sep 14, 2001

For the basic configuration, you only need to add a few commands. This section takes much longer to read than it will actually take to configure the PIX. Start up the PIX Firewall and connect the inside interface into your local network. Connect the outside interface to the inside interface of your perimeter router. Do not connect these through the same switch or hub that runs your local network. The only path from the perimeter router to your LAN must travel through the PIX Firewall. Companies with multiple paths to the Internet should employ a PIX Firewall between each perimeter router and the LAN.

After showing you how to configure the PIX, the chapter explains what has been done. Using Telnet, enter the following commands. The lines are separated for clarity.

enable password enablepass encrypted
passwd password encrypted

nameif ethernet0 outside security0
nameif ethernet1 inside security100

interface ethernet0 10baset
interface ethernet1 10baset

ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0

global (outside) 1 192.168.1.100 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
route inside 10.1.1.0 255.255.255.0 10.1.1.1 1

arp timeout 7200

write mem

At this point, you have your basic configuration set. The next sections walk through each line that you entered and explain the significance of the commands.

password Commands
The first two lines set up your passwords. The first line uses the enable password command to set the enable password to enablepass. It was entered with the optional keyword encrypted. Using encrypted ensures that the password will not be revealed if you print out a copy of your configuration. The second line sets your Telnet password to password. The same rules that apply to router passwords apply to PIX passwords. For example, the enable password controls access to the enable commands.

nameif Command
The nameif command labels your interfaces and sets the security level of each one. The first line names the Ethernet0 interface outside and gives it a security level of zero. The next line names the Ethernet1 interface inside and gives it a security level of 100. In other words, Ethernet0 is from now on called outside instead of Ethernet0 and is completely untrusted because it has a security level of zero. Ethernet1 is now called inside and is completely trusted. Both of these are defaults and are required in the configuration. Ethernet0 is always outside and Ethernet1 is always inside. outside always has a security level of zero, and inside always has a security level of 100. Except for the inside and outside interfaces, an interface may be named anything you desire and will have a security level somewhere between 0 and 100. Remember that the higher the security level, the more the interface is trusted.

This is important because the default behavior of the PIX Firewall is relative to the security levels associated with the interfaces in question. Every interface has a higher security level than the outside interface. Therefore, by default, packets from any interface can travel through the outside interface. Conversely, no packets from the outside interface by default can travel to any other interface.

Suppose that your PIX had two additional interfaces, Ethernet2 and Ethernet3. You enter the following two lines:

nameif ethernet2 joe security16
nameif ethernet3 nancy security45

The joe interface (Ethernet2) has a security level of 16 and the nancy interface (Ethernet3) has a security level of 45. This is feasible because you can assign any security level to an interface and can call the interface anything you choose. In this scenario, packets from nancy could travel through the joe interface without any special configurations. Packets originating at joe cannot by default travel through the nancy interface because the nancy interface has a higher security level. The advanced configurations later in this chapter expand on this concept and use more realistic names for the interfaces.
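The security-level rule above is easy to state and easy to get wrong on a PIX with more than two interfaces. The following Python script is an added example, not code from the book or from Cisco: it parses nameif lines in the form shown on this page, verifies the two invariants the text states (outside is security0, inside is security100), and reports, for every pair of interfaces, whether traffic may pass by default, that is, only when the source interface has a strictly higher security level than the destination. The joe and nancy interfaces are the hypothetical ones from the text; equal security levels are not covered on this page and the model treats them as denied by default.

```python
"""Model of the PIX default inter-interface policy described in the text.

Added example, not code from the book or from Cisco: it parses `nameif`
lines of the form shown on the page, checks the two fixed rules the text
states (outside is security0, inside is security100), and answers whether
traffic from one interface may reach another by default, i.e. only when the
source security level is strictly higher than the destination level.
"""
import re
from typing import Dict, List, Tuple

# Matches e.g. "nameif ethernet0 outside security0"
NAMEIF_RE = re.compile(
    r"^\s*nameif\s+(\S+)\s+(\S+)\s+security(\d{1,3})\s*$", re.IGNORECASE
)

# Constructed sample: the two nameif lines from the basic configuration
# plus the hypothetical joe/nancy interfaces from the text.
SAMPLE_CONFIG = """
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 joe security16
 nameif ethernet3 nancy security45
"""


def parse_nameif(config: str) -> Dict[str, Tuple[str, int]]:
    """Return {interface_name: (hardware_port, security_level)}.

    Lines that are not nameif commands are ignored. A security level outside
    0..100 or a duplicate interface name is rejected.
    """
    interfaces: Dict[str, Tuple[str, int]] = {}
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if not m:
            continue
        port, name, level = m.group(1).lower(), m.group(2).lower(), int(m.group(3))
        if not 0 <= level <= 100:
            raise ValueError(f"{name}: security level {level} not in 0..100")
        if name in interfaces:
            raise ValueError(f"duplicate interface name {name!r}")
        interfaces[name] = (port, level)
    return interfaces


def check_fixed_levels(interfaces: Dict[str, Tuple[str, int]]) -> List[str]:
    """Flag departures from the two rules the text states as invariant:
    outside must be security0 and inside must be security100."""
    problems: List[str] = []
    required = {"outside": 0, "inside": 100}
    for name, level in required.items():
        if name not in interfaces:
            problems.append(f"missing required interface {name!r}")
        elif interfaces[name][1] != level:
            actual = interfaces[name][1]
            problems.append(f"{name} has security{actual}, expected security{level}")
    return problems


def allowed_by_default(interfaces: Dict[str, Tuple[str, int]], src: str, dst: str) -> bool:
    """True when traffic originating on `src` may reach `dst` with no further
    configuration: the source level must be strictly higher than the
    destination level. Equal levels are treated as denied (assumption; the
    page covers only the higher-to-lower case)."""
    return interfaces[src][1] > interfaces[dst][1]


def default_policy_matrix(interfaces: Dict[str, Tuple[str, int]]) -> Dict[Tuple[str, str], bool]:
    """Every ordered (src, dst) pair with its default verdict, ordered from the
    most trusted interface down; useful for reviewing a multi-interface PIX
    before any extra access rules are added."""
    names = sorted(interfaces, key=lambda n: -interfaces[n][1])
    return {(s, d): allowed_by_default(interfaces, s, d)
            for s in names for d in names if s != d}


if __name__ == "__main__":
    ifs = parse_nameif(SAMPLE_CONFIG)
    for problem in check_fixed_levels(ifs):
        print("WARNING:", problem)
    for (s, d), ok in default_policy_matrix(ifs).items():
        print(f"{s:>8} -> {d:<8} {'permitted' if ok else 'denied'} by default")
```

Run against the sample, the matrix shows inside reaching every other interface, nancy reaching joe and outside, joe reaching only outside, and outside reaching nothing, which is exactly the behaviour the text describes. Feeding it a configuration where outside is given some other level produces a warning rather than a silently different policy.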
